Search results

  • Customer requirements


    Answer:

    I worked for several years in a PVC-producing company, so I am quite aware that there are PVC grades that are fully interchangeable. My answer is: go and check whether your contracts or agreements with customers say anything about the need to inform the customer whenever you change a raw material, even if there is no performance change. As a consultant I work with injection molding companies – some have contracts that detail the raw materials to use, and any change is a breach of contract; and some have nothing in the contract and can change without communicating to customers.

    The following material will provide you information about ISO 9001:

    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • How to start ISO 13485 implementation project


    Answer:

    Once you have top management support for the project, you should conduct a gap analysis to determine to what extent your organization is already compliant with ISO 13485 and what needs to be done to achieve full compliance. After determining the gaps, you can define the project plan for the implementation, where you will define the activities, documents to be developed, responsibilities and deadlines.

    Usually, the first step in the project is defining the procedure for document and record control, and then the quality policy. The next step is to identify the processes and resource management. Then you can conduct risk assessment and define controls for the processes.

    Once your processes are set up, you can perform internal audit and management review and you will be ready for the certification audit.
  • EMS objectives and procedure


    Answer:

    No, there is no requirement in ISO 14001 for a mandatory procedure related to EMS objectives and planning to achieve them.

    The following material will provide you information about ISO 14001 mandatory and non-mandatory documentation:

    - ISO 14001 – List of mandatory documents required by ISO 14001:2015 - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/list-of-mandatory-documents-required-by-iso-140012015/
    - free online training ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
    - book - THE ISO 14001:2015 COMPANION – A Straightforward Guide to Implementing an EMS in a Small Business - https://advisera.com/books/the-iso-14001-2015-companion/
  • Quality Assurance vs Quality Control


    Answer:

    First of all, good luck with your interview.

    Quality Control is about having a specification, having a control plan (what to control, by whom, when, and with what sample size), performing that control plan and ensuring that nonconformities are treated.

    Quality Assurance is much richer: it includes Control, but also designing the Control Plan, working with preventive measures such as working with suppliers and training workers, and improving quality by changing procedures, specifications and other items.

    Quality Control is focused on meeting quality requirements. Quality Assurance is focused on giving confidence that quality requirements will be met.

    The following material will provide you information about the risk-based approach:

    - ISO 9001 – How to use quality control tools to improve your QMS - https://advisera.com/9001academy/blog/2017/04/18/how-to-use-quality-control-tools-to-improve-your-qms/
    - Making the best out of ISO 9001 Quality Plan - https://advisera.com/9001academy/blog/2015/12/08/making-the-best-out-of-iso-9001-quality-plan/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Organizational unit responsible for ISO standards


    Answer:

    First of all, I would like to emphasize that the idea you presented won't work very well because:
    1) It is not natural to create a separate "ISO department", because the best people to run such projects are e.g. the Chief Information Security Officer for ISO 27001, the Business Continuity Manager for ISO 22301, etc.
    2) The auditors need to be in a separate organizational unit from the personnel who are implementing the standard.

    An exception would be if your company is a large one (e.g. more than 10,000 employees) - in such a case you could have a "Project Management Office" where a professional project manager would be in charge of the implementation project, and the CISO, BC manager and others would be members of the project team.

    See also:
    - Who should be your project manager for ISO 27001/ISO 22301? https://advisera.com/27001academy/blog/2014/12/01/who-should-be-your-project-manager-for-iso-27001-iso-22301/
    - Chief Information Security Officer (CISO) – where does he belong in an org chart? https://advisera.com/27001academy/blog/2012/09/11/chief-information-security-officer-ciso-where-does-he-belong-in-an-org-chart/
    - ISO 27001 project – How to make it work https://advisera.com/27001academy/blog/2013/04/22/iso-27001-project-how-to-make-it-work/
  • GDPR Implementation


    Answer:

    The two standards you mentioned only cover a small part of the whole privacy framework, namely the part relating to security, to which art. 32 of the EU GDPR – “Security of processing” (https://advisera.com/eugdpracademy/gdpr/security-of-processing/) refers.

    Unfortunately there are no certifications available as per EU GDPR art. 40 - “Certification” (https://advisera.com/eugdpracademy/gdpr/certification/), so my advice is that you audit the whole program internally, at least until the certifications and codes of conduct become available.
  • Collecting consent


    Answer:

    It really does not matter how consent is collected, as long as the consent is a freely given, specific, informed and unambiguous indication of the individual’s wishes. You must ensure you keep records so you can demonstrate that consent has been given by the relevant individual. If you want to collect it via telephone, you need to record the conversation as well.

    If you want to find out more about consent you can check out our webinar “How to handle consents under GDPR” https://advisera.com/eugdpracademy/webinar/how-to-handle-consents-under-gdpr-free-webinar-on-demand/
  • Risk assessment


    The point is, I believe that risk assessments often use tables to analyze the variables. My doubt is how can someone make the necessary analysis of assets, threats and vulnerabilities since there are so many options of them to a single asset? I believe that pointing out all of them would make the analysis larger than it needs to be and it probably wouldn’t be so functional, so probably in the assessments, the standards and laws do not require a full analysis of all assets/procedures.

    For example, if I added “hardware” in the table from one of your lectures. Let’s say the risk owner would be the CSO, the threats could be: the CSO himself (due to his actions), fire, electricity outage, unauthorized access, theft, hacking, among many others.

    For all these threats it is possible to establish a control method to reduce or avoid them, but adding all these points to the inventory table below would make it less effective, I guess.

    Answer: To make your risk assessment more effective, you should consider the assets, threats, and vulnerabilities to be analysed in terms of the requirements your ISMS must fulfill (e.g., laws, regulations, contracts, business objectives, etc.). By this approach, your assessment will focus on risks that can have perceivable impacts on the business.

    Regarding the quantity of elements, I generally use the approach of performing the risk assessment in cycles, where in each cycle I work on a small quantity of risks (5 to 10), also limiting the quantity of assets, threats and vulnerabilities. I start with the ones perceived as the highest. After each cycle, if I conclude the overall risk level is still unacceptable, I perform another cycle (in general I need three to four cycles to finish the assessment). This way you can cover both the highest perceived risks and a quantity of risks that your resources are capable of handling.

    2 - Concluding my question, what are the main metrics to establish the main threats and vulnerabilities to an asset, reducing the table and improving effectiveness?

    Answer: For the identification of main threats and vulnerabilities to an asset you can rely on historical data (from your own organization or related to your general industry), expert opinion, or specialized material, such as standards recommendations.

    These articles will provide you further explanation about risk assessment:
    - ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
    - ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
    - Catalogue of threats & vulnerabilities https://advisera.com/27001academy/knowledgebase/threats-vulnerabilities/

    These materials will also help you regarding risk assessment:
    - Diagram of ISO 27001:2013 Risk Assessment and Treatment process https://info.advisera.com/27001academy/free-download/diagram-of-iso-270012013-risk-assessment-and-treatment-process
    - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
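
    As an added illustration (not part of the original answer or Advisera's material), the cycle-based approach described above expressed as a small Python planner: risks are first scoped to the ISMS requirements they bear on, ranked by likelihood × impact, split into cycles of a bounded size, and the residual level is re-checked after each cycle to decide whether another cycle is needed. The 1–5 scales, the acceptance threshold of 6 and the sample register are constructed assumptions for this example.

```python
"""Cycle-based ISO 27001 risk assessment planner.

Added example, not Advisera's material or tooling. The scales, the
acceptance threshold and the sample register are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int            # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int                # 1 (negligible) .. 5 (severe), assumed scale
    requirements: tuple = ()   # laws, contracts or objectives the risk bears on

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


ACCEPTABLE = 6  # assumed: scores at or below this are accepted untreated


def in_scope(risks):
    """Keep only risks that map to at least one ISMS requirement, so the
    table is not padded with threats no law, contract or objective cares about."""
    return [r for r in risks if r.requirements]


def plan_cycles(risks, batch=5, acceptable=ACCEPTABLE):
    """Order unacceptable in-scope risks highest-first and split them into
    cycles of at most `batch` risks. Returns a list of cycles (lists of Risk)."""
    pending = sorted((r for r in in_scope(risks) if r.score > acceptable),
                     key=lambda r: r.score, reverse=True)
    return [pending[i:i + batch] for i in range(0, len(pending), batch)]


def residual_after(risks, treated_cycles, acceptable=ACCEPTABLE, new_likelihood=1):
    """Simulate treatment of the completed cycles: each treated risk gets its
    likelihood reset to `new_likelihood`. Returns (highest residual score,
    number of risks still above the acceptance threshold); another cycle is
    needed while the second value is non-zero."""
    treated = {id(r) for cycle in treated_cycles for r in cycle}
    residual = [(new_likelihood if id(r) in treated else r.likelihood) * r.impact
                for r in in_scope(risks)]
    return max(residual, default=0), sum(1 for s in residual if s > acceptable)


# Constructed sample register for one asset, modelled on the question above.
REGISTER = [
    Risk("Server hardware", "Fire", "No fire suppression in server room", 2, 5,
         ("business continuity objective",)),
    Risk("Server hardware", "Power outage", "No UPS", 4, 3, ("customer SLA",)),
    Risk("Server hardware", "Theft", "Server room door not locked", 3, 4,
         ("GDPR art. 32",)),
    Risk("Server hardware", "Unauthorized access", "Shared admin account", 4, 4,
         ("GDPR art. 32", "customer SLA")),
    Risk("Server hardware", "Hacking", "Unpatched OS", 4, 5, ("GDPR art. 32",)),
    Risk("Server hardware", "Admin error", "No change approval", 3, 3,
         ("customer SLA",)),
    Risk("Office plants", "Drought", "Nobody waters them", 5, 1, ()),  # out of scope
]


if __name__ == "__main__":
    cycles = plan_cycles(REGISTER)
    for n, cycle in enumerate(cycles, 1):
        print(f"Cycle {n}: {[f'{r.threat} ({r.score})' for r in cycle]}")
        print("  residual after this cycle:", residual_after(REGISTER, cycles[:n]))
```

    With the sample register, six risks are in scope and above the threshold, so two cycles are planned (five risks, then one); after the first cycle the untreated "Admin error" risk still scores 9, so a second cycle is required, after which nothing exceeds the threshold.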
  • ISO 27001 standard


    Answer: I'm sorry, but the ISO 27001 standard is intellectual property of the International Organization for Standardization (ISO), and as such it cannot be sold as part of our toolkits. You can find and buy this standard at this link: https://www.iso.org/standard/54534.html
  • ISO 27001 Mandatory documentation


    Answer: The text in the Document Management from ISO 27001 Blog refers to the ISO 27001:2005 standard, in which the Procedure for Managing Documents is in fact mandatory. This standard was superseded by ISO 27001:2013, which is now the current standard, and in this version the Procedure for Managing Documents is not mandatory.

    These materials will provide you further explanation about the differences between the versions of the standard:
    - A first look at the new ISO 27001 https://advisera.com/27001academy/blog/2013/01/28/a-first-look-at-the-new-iso-27001-2013-draft-version/
    - Infographic: New ISO 27001 2013 revision – What has changed? https://advisera.com/27001academy/knowledgebase/infographic-new-iso-27001-2013-revision-what-has-changed/

    2 - Also, could you share with me how you came up with the Checklist of Mandatory Documentation? I can’t seem to find the source of the information in the ISO 27001:2013 Standard. Not sure if it is there or in another ISO document.

    Answer: To identify the mandatory documentation in the standard you have to find the requirements that demand "documented information" to be available, to be kept, to be retained, or any other similar verb or expression. For example:
    - The scope shall be available as documented information.
    - The organization shall retain documented information about the information security risk assessment process.

    This article will provide you further explanation about ISO terminology:
    - Explanation of the basic terminology in ISO standards https://advisera.com/27001academy/blog/2015/01/12/explanation-of-the-basic-terminology-in-iso-standards/